Application governance in Entra is a hot topic these days, especially in the context of zero trust, where we aim for least-privilege access in terms of Graph API permissions, explicitly verify the identities of publishers and people in our organizations and assume breach. Many organizations are decommissioning Active Directory Federation Services (AD FS) and switching to Entra ID to authenticate and authorize their Software as a Service (SaaS) and homegrown web applications. Their business cases are clear:
- Reduce costs, complexity and (in most cases) systems running legacy versions of Windows Server.
- Gain the automatic scale and flexibility to meet the organizational needs towards Software as a Service (SaaS) apps.
- Gain identity detection and threat response features that are an integral part of Entra licenses.
- Improve the user experience for people who work in other geographies than the one(s) where AD FS is hosted.
- Provide self-service password reset and password-less authentication options.
Managing Entra ID is not for the faint of heart. Microsoft services change far more regularly than the Windows Server operating systems did. Documentation lags. Certifications need yearly upkeeping. Settings need to be managed in several portals and can be ridiculously complex to manage at scale.
One particularly complex area of Entra ID is application management. The new model, based on service principals, API permissions and settings for modern authentication protocols, is nothing like providing access to an application in the world of Active Directory. This is for a good reason, as today’s Internet-connected world requires more secure settings and protocols.
Applications in Entra are mostly misunderstood and they tend to be a blind spot that many organizations have not yet illuminated. Heck, even Microsoft doesn’t get their applications or administrative roles right, resulting in the mailboxes of their top brass getting compromised and thousands of Entra tenants getting compromised monthly.
It's an ecosystem
I’ve worked with many organizations to address their Entra application governance issues. These organizations were able to limit the permissions on their enterprise applications and application registrations, but for some applications, we must move up the supply chain. Examining our results led to three distinct discoveries:
Assigning least administrative permissions for 3rd party applications sometimes fails
Certain API permission combinations and privilege roles allow Entra ID applications to be abused to ultimately gain global administrator privileges. Removing high-risk permissions from this app obviously limits the functionality of the application that uses these permissions, but may also lead to the application breaking, when it checks for the permissions during startup or run…
Veeam’s Backup for Microsoft 365 v7 solution is a prime example. It shows up in several reports for several of its traits. The immediate issue is the combination of Cloud Application Administrator role (assigned to its enterprise application), the EWS.AccessAsUser.All, and EWS.full_access_as_app permissions (assigned to the app registration) allow it to be abused to gain global administrator privileges in a supply chain attack.
I brought it to the attention of the people at Veeam. Mike Resseler, Director of Product Management at Veeam, has indicated that they are working on applying the principle of least administrative privilege further in their software. It takes time.
Some applications still use the Windows Azure Active Directory API
Another issue that we see with 3rd party solutions is the insisted use of the now deprecated Windows Azure Active Directory API User.Read.All permissions, instead of the Microsoft Graph API permissions to read Entra objects.
While existing Entra apps can continue to address the Windows Azure Active Directory API without problems, applications that are newly onboarded since June 30th, 2024, receive HTTP 403 errors, unless specifically configured.
The access through the Windows Azure Active Directory API is primarily used to support people picker functionality in apps. Breaking this access can have a severe impact on applications using this access. Yet, one in roughly eight applications typically still use User.Read.All permissions to the Windows Azure Active Directory API. We typically encounter these situations when:
- Microsoft’s communications may not have reached these vendors.
- Vendors may not know how to address this issue.
- Customers may be stuck with older versions of the apps or earlier iterations of permission sets.
All these situations require interaction with the vendor to resolve. This takes time.
Some vendors don’t follow the principle of least privilege access
While User.Read.All feels like the least privilege to support people picker functionality, it might not be. In January 2024, Microsoft made the User.BasicRead.All permission available for both delegated and app-only access. This specific API permission provides information on the userPrincipalName, displayName, first and last name, email address, and photo for the people in your organization. In most cases, this limited access to people’s information should suffice.
The least privilege User.BasicRead.All permissions has been available for over half a year. Yet, I have only seen a handful of ISVs use it… You guessed it: it takes time.
Imagine…
To paraphrase John Lennon’s inspiring song…
Imagine there's no app misconfigs. It isn't hard to do.
Nothing to kill or die for. And no breaches too.
Imagine all the vendors sharing all that’s good…
I am imagining this. I believe in working with application vendors and getting them to embrace recommended practices. It takes time and requires endurance and a community commitment to improving security at each step.
Community-based resources
I have been working with ENow Software to create, maintain, and expand their Application Governance solutions for the past few years. One of my guiding principles was that our insights into Entra application management should be included in free resources for everyone. We’ve delivered on that promise with several Community resources for organizations to start moving towards a more secure future:
Application governance and security are newer initiatives for many organizations. Many organizations do not have an internal expert in this area. In fact, many organizations are still figuring out who should even own this responsibility. The AppGov Community Forum is a free site moderated by Microsoft Identity & Security MVPs, like me who will answer your Entra ID application questions and curiosities. Identity admins, developers, and other professionals can share their experiences, hear how others are solving the problem, and escalate application issues to Vendors using our community networks.
- AppGov Score – the free Application Governance Scorecard
Not sure where to start? This scorecard and assessment can be a logical first step. To improve anything, you must first know your current state. AppGov Score will scan your Entra ID applications and grade the security of your Enterprise Applications, Application Registrations, Tenant Settings. The Hunting Analysis will show if your apps are at risk of being exploited by known attackers and permission gaps.
In addition to the Community Site and AppGov Score, ENow works with several Microsoft MVPs to publish quality blog content each week. Their blogs include practical how-to tips that explain what the risks are and how to solve them. Here are a few recent titles for reference:
- Microsoft Entra Roles & Application Access
- Authenticating to the Microsoft Graph API with PowerShell
Note:
ENow’s Application Governance solution is completely separate from the Microsoft Application Governance feature and does not require expensive Microsoft licenses. In the same way, ENow’s AppGov Score is completely different from Microsoft’s Identity Secure Score.
With the information from the scorecard, admins can fiddle around with their favorite scripting or development tools to pinpoint and remediate the surfaced misconfigurations. Alternatively, they can upgrade to the paid App Governance Accelerator to get this information at their fingertips and continuously track progress, set alerts, and address recurring situations through automated workflows.
Join us!
If you have any questions on Entra applications, ask them on ENow’s Application Governance Community. With several other Microsoft Most Valuable Professionals (MVPs), we’re monitoring the forum to get you the best Entra ID app security guidance going forward.
You may say I'm a dreamer, but I'm not the only one.
I hope someday you'll join us, and the ecosystem will be as one…
Login